To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/malware/0,3800003100,39351680,00.htm

Vista flaw leaves OS open to DoS attack
Fix coming in next service pack?

By David Meyer

Published: Monday 24 November 2008

A flaw has been found in Windows Vista that could allow rootkits to be hidden or denial-of-service attacks to be executed on computers using the operating system.

The vulnerability was found by Thomas Unterleitner of Austrian security company Phion, and announced on Friday. Unterleitner told silicon.com sister site ZDNet UK on Friday that Phion told Microsoft about the flaw in October but he understood a fix would only be issued in the next Vista service pack.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

According to Unterleitner's disclosure of the flaw, the issue lies in the network input/output subsystem of Vista. Certain requests sent to the iphlpapi.dll API can cause a buffer overflow that corrupts the Vista kernel memory, resulting in a blue-screen-of-death crash. "This buffer overflow could [also] be exploited to inject code, hence compromising client security," Unterleitner added.

Unterleitner told ZDNet UK via email that the "exploit can be used to turn off the computer using a [denial-of-service] attack". He also suggested that, because the exploit occurs in the Netio.sys component of Vista, it may make it possible to hide rootkits.

Using a sample program, Unterleitner and his colleagues ascertained that Vista Enterprise and Vista Ultimate were definitely affected by the flaw, with other versions of Microsoft's operating system "very likely" to be affected as well. Both 32-bit and 64-bit versions are vulnerable. Windows XP is not affected.

Asked about the severity of the flaw, Unterleitner pointed out that administrative rights were needed to execute a program calling the function that would cause the buffer overflow. However, he also said it was possible - but not yet confirmed - that someone could use a malformed DCHP packet to "take advantage of the exploit without administrative rights".

"We have worked together with Microsoft Security Response Center in Redmond since October 2008 to locate, classify and fix this bug," Unterleitner wrote. "Microsoft will ship a fix for this exploit with the next Vista service pack."

Microsoft told ZDNet UK on Friday that it had investigated the issue but was "currently unaware of any attacks trying to use the vulnerability or of customer impact". It could not, however, confirm the inclusion of a fix for the problem in the as-yet-unreleased second service pack for Vista, nor give the release date for that service pack.